Line break in grok pattern

Elastic Stack Logstash
1

I am trying to get the data from a log, however in the middle of the log there is a line break which prevents the Grok filter from reading it correctly. If I adjust it to a single line it works, however, it would require the line break to be found

How could you tell Grok that there will be a jump and take the following data?

This the log

{C-FLOW-ID-CAB APN101MQ C-OPERATION-CAB P T-EVENTO-CAB RUNNING T-EXTERNAL-ID-CAB null F-MESSAGE-CAB 20221018 H-MESSAGE-CAB 601006 C-MESSAGE-ID-CAB DC45D4AA6B3D0000 M-STATUS-CAB 02 
[<FOTO><Status>RUNNING</Status><EVENTO>2022101806:01:00.0</EVENTO></FOTO>]}

This is my grok filter

grok {
        match => { 'message' => '(?:[^:]+) %{WORD:C-FLOW-ID-CAB} (?:[^:]+) %{WORD:C-OPERATION-CAB} (?:[^:]+) %{WORD:T-EVENTO-CAB} (?:[^:]+) %{WORD:T-EXTERNAL-ID-CAB} (?:[^:]+) %{WORD:F-MESSAGE-CAB} (?:[^:]+) %{WORD:H-MESSAGE-CAB} (?:[^:]+) %{WORD:C-MESSAGE-ID-CAB} (?:[^:]+) %{WORD:M-STATUS-CAB} \[%{GREEDYDATA:DETAIL}\]'}
    }
2

Can you show how the message looks like? A single line or two lines? Filebear or file should use multiline pattern or if is a single line remove \n from the message with gsub or add \n or .{1,3} in front [<FOTO><Status>...

.{1,3}\[%{GREEDYDATA:DETAIL}\]
\\n\[%{GREEDYDATA:DETAIL}\]

3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.